Sanitize product inputs

master
Mark Moffat 2018-12-12 00:31:56 +11:00
parent 1d2522668a
commit b4a9ba3064
4 changed files with 171 additions and 14 deletions

View File

@ -8,6 +8,7 @@ const path = require('path');
const glob = require('glob'); const glob = require('glob');
const async = require('async'); const async = require('async');
const nodemailer = require('nodemailer'); const nodemailer = require('nodemailer');
const sanitizeHtml = require('sanitize-html');
const escape = require('html-entities').AllHtmlEntities; const escape = require('html-entities').AllHtmlEntities;
let ObjectId = require('mongodb').ObjectID; let ObjectId = require('mongodb').ObjectID;
@ -65,6 +66,10 @@ exports.checkLogin = (req, res, next) => {
res.redirect('/admin/login'); res.redirect('/admin/login');
}; };
exports.cleanHtml = (html) => {
return sanitizeHtml(html);
};
exports.mongoSanitize = (param) => { exports.mongoSanitize = (param) => {
if(param instanceof Object){ if(param instanceof Object){
for(const key in param){ for(const key in param){

166
package-lock.json generated
View File

@ -549,8 +549,7 @@
"array-uniq": { "array-uniq": {
"version": "1.0.3", "version": "1.0.3",
"resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz", "resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
"integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY=", "integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY="
"dev": true
}, },
"array-unique": { "array-unique": {
"version": "0.3.2", "version": "0.3.2",
@ -2129,7 +2128,6 @@
"version": "1.9.1", "version": "1.9.1",
"resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.1.tgz", "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.1.tgz",
"integrity": "sha512-mjGanIiwQJskCC18rPR6OmrZ6fm2Lc7PeGFYwCmy5J34wC6F1PzdGL6xeMfmgicfYcNLGuVFA3WzXtIDCQSZxQ==", "integrity": "sha512-mjGanIiwQJskCC18rPR6OmrZ6fm2Lc7PeGFYwCmy5J34wC6F1PzdGL6xeMfmgicfYcNLGuVFA3WzXtIDCQSZxQ==",
"dev": true,
"requires": { "requires": {
"color-name": "^1.1.1" "color-name": "^1.1.1"
} }
@ -2137,8 +2135,7 @@
"color-name": { "color-name": {
"version": "1.1.3", "version": "1.1.3",
"resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz", "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
"integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=", "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU="
"dev": true
}, },
"color-support": { "color-support": {
"version": "1.1.3", "version": "1.1.3",
@ -5892,8 +5889,7 @@
"lodash.clonedeep": { "lodash.clonedeep": {
"version": "4.5.0", "version": "4.5.0",
"resolved": "https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz", "resolved": "https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz",
"integrity": "sha1-4j8/nE+Pvd6HJSnBBxhXoIblzO8=", "integrity": "sha1-4j8/nE+Pvd6HJSnBBxhXoIblzO8="
"dev": true
}, },
"lodash.clonedeepwith": { "lodash.clonedeepwith": {
"version": "4.5.0", "version": "4.5.0",
@ -5924,6 +5920,11 @@
"integrity": "sha1-nMtOUF1Ia5FlE0V3KIWi3yf9AXw=", "integrity": "sha1-nMtOUF1Ia5FlE0V3KIWi3yf9AXw=",
"dev": true "dev": true
}, },
"lodash.escaperegexp": {
"version": "4.1.2",
"resolved": "https://registry.npmjs.org/lodash.escaperegexp/-/lodash.escaperegexp-4.1.2.tgz",
"integrity": "sha1-ZHYsSGGAglGKw99Mz11YhtriA0c="
},
"lodash.filter": { "lodash.filter": {
"version": "4.6.0", "version": "4.6.0",
"resolved": "https://registry.npmjs.org/lodash.filter/-/lodash.filter-4.6.0.tgz", "resolved": "https://registry.npmjs.org/lodash.filter/-/lodash.filter-4.6.0.tgz",
@ -5956,6 +5957,11 @@
"resolved": "https://registry.npmjs.org/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz", "resolved": "https://registry.npmjs.org/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz",
"integrity": "sha1-fFJqUtibRcRcxpC4gWO+BJf1UMs=" "integrity": "sha1-fFJqUtibRcRcxpC4gWO+BJf1UMs="
}, },
"lodash.isstring": {
"version": "4.0.1",
"resolved": "https://registry.npmjs.org/lodash.isstring/-/lodash.isstring-4.0.1.tgz",
"integrity": "sha1-1SfftUVuynzJu5XV2ur4i6VKVFE="
},
"lodash.map": { "lodash.map": {
"version": "4.6.0", "version": "4.6.0",
"resolved": "https://registry.npmjs.org/lodash.map/-/lodash.map-4.6.0.tgz", "resolved": "https://registry.npmjs.org/lodash.map/-/lodash.map-4.6.0.tgz",
@ -5966,6 +5972,11 @@
"resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.0.tgz", "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.0.tgz",
"integrity": "sha1-aYhLoUSsM/5plzemCG3v+t0PicU=" "integrity": "sha1-aYhLoUSsM/5plzemCG3v+t0PicU="
}, },
"lodash.mergewith": {
"version": "4.6.1",
"resolved": "https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.1.tgz",
"integrity": "sha512-eWw5r+PYICtEBgrBE5hhlT6aAa75f411bgDz/ZL2KZqYV03USvucsxcHUIlGTDTECs1eunpI7HOV7U+WLDvNdQ=="
},
"lodash.pick": { "lodash.pick": {
"version": "4.4.0", "version": "4.4.0",
"resolved": "https://registry.npmjs.org/lodash.pick/-/lodash.pick-4.4.0.tgz", "resolved": "https://registry.npmjs.org/lodash.pick/-/lodash.pick-4.4.0.tgz",
@ -6565,8 +6576,7 @@
"number-is-nan": { "number-is-nan": {
"version": "1.0.1", "version": "1.0.1",
"resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz", "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz",
"integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=", "integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0="
"dev": true
}, },
"numeral": { "numeral": {
"version": "2.0.6", "version": "2.0.6",
@ -7179,6 +7189,54 @@
"integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs=", "integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs=",
"dev": true "dev": true
}, },
"postcss": {
"version": "7.0.6",
"resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.6.tgz",
"integrity": "sha512-Nq/rNjnHFcKgCDDZYO0lNsl6YWe6U7tTy+ESN+PnLxebL8uBtYX59HZqvrj7YLK5UCyll2hqDsJOo3ndzEW8Ug==",
"requires": {
"chalk": "^2.4.1",
"source-map": "^0.6.1",
"supports-color": "^5.5.0"
},
"dependencies": {
"ansi-styles": {
"version": "3.2.1",
"resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz",
"integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
"requires": {
"color-convert": "^1.9.0"
}
},
"chalk": {
"version": "2.4.1",
"resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.1.tgz",
"integrity": "sha512-ObN6h1v2fTJSmUXoS3nMQ92LbDK9be4TV+6G+omQlGJFdcUX5heKi1LZ1YnRMIgwTLEj3E24bT6tYni50rlCfQ==",
"requires": {
"ansi-styles": "^3.2.1",
"escape-string-regexp": "^1.0.5",
"supports-color": "^5.3.0"
}
},
"has-flag": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz",
"integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0="
},
"source-map": {
"version": "0.6.1",
"resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
"integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
},
"supports-color": {
"version": "5.5.0",
"resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
"integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
"requires": {
"has-flag": "^3.0.0"
}
}
}
},
"prelude-ls": { "prelude-ls": {
"version": "1.1.2", "version": "1.1.2",
"resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.1.2.tgz", "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.1.2.tgz",
@ -7744,6 +7802,87 @@
"ret": "~0.1.10" "ret": "~0.1.10"
} }
}, },
"sanitize-html": {
"version": "1.19.3",
"resolved": "https://registry.npmjs.org/sanitize-html/-/sanitize-html-1.19.3.tgz",
"integrity": "sha512-QpIjbF1rhUSQj9V7Wey/gv4DPqOso8KTebaI4rC97p0WCLnTpmhf7BJZUhS83MTtqRvUo8MuXH316CW2Nzd48w==",
"requires": {
"chalk": "^2.4.1",
"htmlparser2": "^3.10.0",
"lodash.clonedeep": "^4.5.0",
"lodash.escaperegexp": "^4.1.2",
"lodash.isplainobject": "^4.0.6",
"lodash.isstring": "^4.0.1",
"lodash.mergewith": "^4.6.1",
"postcss": "^7.0.5",
"srcset": "^1.0.0",
"xtend": "^4.0.1"
},
"dependencies": {
"ansi-styles": {
"version": "3.2.1",
"resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz",
"integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
"requires": {
"color-convert": "^1.9.0"
}
},
"chalk": {
"version": "2.4.1",
"resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.1.tgz",
"integrity": "sha512-ObN6h1v2fTJSmUXoS3nMQ92LbDK9be4TV+6G+omQlGJFdcUX5heKi1LZ1YnRMIgwTLEj3E24bT6tYni50rlCfQ==",
"requires": {
"ansi-styles": "^3.2.1",
"escape-string-regexp": "^1.0.5",
"supports-color": "^5.3.0"
}
},
"has-flag": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz",
"integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0="
},
"htmlparser2": {
"version": "3.10.0",
"resolved": "https://registry.npmjs.org/htmlparser2/-/htmlparser2-3.10.0.tgz",
"integrity": "sha512-J1nEUGv+MkXS0weHNWVKJJ+UrLfePxRWpN3C9bEi9fLxL2+ggW94DQvgYVXsaT30PGwYRIZKNZXuyMhp3Di4bQ==",
"requires": {
"domelementtype": "^1.3.0",
"domhandler": "^2.3.0",
"domutils": "^1.5.1",
"entities": "^1.1.1",
"inherits": "^2.0.1",
"readable-stream": "^3.0.6"
}
},
"readable-stream": {
"version": "3.0.6",
"resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.0.6.tgz",
"integrity": "sha512-9E1oLoOWfhSXHGv6QlwXJim7uNzd9EVlWK+21tCU9Ju/kR0/p2AZYPz4qSchgO8PlLIH4FpZYfzwS+rEksZjIg==",
"requires": {
"inherits": "^2.0.3",
"string_decoder": "^1.1.1",
"util-deprecate": "^1.0.1"
}
},
"string_decoder": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.2.0.tgz",
"integrity": "sha512-6YqyX6ZWEYguAxgZzHGL7SsCeGx3V2TtOTqZz1xSTSWnqsbWwbptafNyvf/ACquZUXV3DANr5BDIwNYe1mN42w==",
"requires": {
"safe-buffer": "~5.1.0"
}
},
"supports-color": {
"version": "5.5.0",
"resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
"integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
"requires": {
"has-flag": "^3.0.0"
}
}
}
},
"semver": { "semver": {
"version": "5.4.1", "version": "5.4.1",
"resolved": "https://registry.npmjs.org/semver/-/semver-5.4.1.tgz", "resolved": "https://registry.npmjs.org/semver/-/semver-5.4.1.tgz",
@ -8113,6 +8252,15 @@
"integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=", "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=",
"dev": true "dev": true
}, },
"srcset": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/srcset/-/srcset-1.0.0.tgz",
"integrity": "sha1-pWad4StC87HV6D7QPHEEb8SPQe8=",
"requires": {
"array-uniq": "^1.0.2",
"number-is-nan": "^1.0.0"
}
},
"stack-trace": { "stack-trace": {
"version": "0.0.10", "version": "0.0.10",
"resolved": "https://registry.npmjs.org/stack-trace/-/stack-trace-0.0.10.tgz", "resolved": "https://registry.npmjs.org/stack-trace/-/stack-trace-0.0.10.tgz",

View File

@ -38,6 +38,7 @@
"paypal-rest-sdk": "^1.6.9", "paypal-rest-sdk": "^1.6.9",
"rand-token": "^0.4.0", "rand-token": "^0.4.0",
"rimraf": "^2.6.2", "rimraf": "^2.6.2",
"sanitize-html": "^1.19.3",
"sitemap": "^1.6.0", "sitemap": "^1.6.0",
"strip-bom": "^3.0.0", "strip-bom": "^3.0.0",
"stripe": "^5.4.0", "stripe": "^5.4.0",

View File

@ -81,10 +81,10 @@ router.post('/admin/product/insert', common.restrict, common.checkAccess, (req,
productPermalink: req.body.frmProductPermalink, productPermalink: req.body.frmProductPermalink,
productTitle: req.body.frmProductTitle, productTitle: req.body.frmProductTitle,
productPrice: req.body.frmProductPrice, productPrice: req.body.frmProductPrice,
productDescription: req.body.frmProductDescription, productDescription: common.cleanHtml(req.body.frmProductDescription),
productPublished: req.body.frmProductPublished, productPublished: req.body.frmProductPublished,
productTags: req.body.frmProductTags, productTags: req.body.frmProductTags,
productOptions: req.body.productOptJson, productOptions: common.cleanHtml(req.body.productOptJson),
productComment: common.checkboxBool(req.body.frmProductComment), productComment: common.checkboxBool(req.body.frmProductComment),
productAddedDate: new Date() productAddedDate: new Date()
}; };
@ -198,6 +198,7 @@ router.post('/admin/product/update', common.restrict, common.checkAccess, (req,
res.redirect('/admin/product/edit/' + req.body.frmProductId); res.redirect('/admin/product/edit/' + req.body.frmProductId);
return; return;
} }
if(count > 0 && req.body.frmProductPermalink !== ''){ if(count > 0 && req.body.frmProductPermalink !== ''){
// permalink exits // permalink exits
req.session.message = 'Permalink already exists. Pick a new one.'; req.session.message = 'Permalink already exists. Pick a new one.';
@ -218,15 +219,17 @@ router.post('/admin/product/update', common.restrict, common.checkAccess, (req,
common.getImages(req.body.frmProductId, req, res, (images) => { common.getImages(req.body.frmProductId, req, res, (images) => {
let productDoc = { let productDoc = {
productTitle: req.body.frmProductTitle, productTitle: req.body.frmProductTitle,
productDescription: req.body.frmProductDescription, productDescription: common.cleanHtml(req.body.frmProductDescription),
productPublished: req.body.frmProductPublished, productPublished: req.body.frmProductPublished,
productPrice: req.body.frmProductPrice, productPrice: req.body.frmProductPrice,
productPermalink: req.body.frmProductPermalink, productPermalink: req.body.frmProductPermalink,
productTags: req.body.frmProductTags, productTags: common.cleanHtml(req.body.frmProductTags),
productOptions: req.body.productOptJson, productOptions: common.cleanHtml(req.body.productOptJson),
productComment: common.checkboxBool(req.body.frmProductComment) productComment: common.checkboxBool(req.body.frmProductComment)
}; };
console.log('test', productDoc);
// if no featured image // if no featured image
if(!product.productImage){ if(!product.productImage){
if(images.length > 0){ if(images.length > 0){